Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

KV_MODE=xml not working but xmlkv is

willcwhite
Explorer
‎04-07-2020 01:00 PM

I have an app on a deployment server that takes in XML data, this app includes a props.conf with KV_MODE=xml.
When I see the data in Splunk, no XML fields are being extracted, but when I add | xmlkv to the end of my query, it extracts all XML fields. Since KV_MODE is for search time extractions does that mean that I have to also put this props.conf on the SHC? Or is there another reason why it's not working?

Thanks in advance.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

manjunathmeti
Champion
‎04-07-2020 10:16 PM

KV_MODE is search time attribute. This doesn't work in indexers. You need to add it in props.conf in search head(s).

KV_MODE = [none|auto|auto_escaped|multi|json|xml]
* Used for search-time field extractions only.
* Specifies the field/value extraction mode for the data.

View solution in original post

Reply
Solved! Jump to solution
Solution

manjunathmeti
Champion
‎04-07-2020 10:16 PM

KV_MODE is search time attribute. This doesn't work in indexers. You need to add it in props.conf in search head(s).

KV_MODE = [none|auto|auto_escaped|multi|json|xml]
* Used for search-time field extractions only.
* Specifies the field/value extraction mode for the data.

View solution in original post

Reply
.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!

Get Updates on the Splunk Community!